The journeys of a shift-key challenged unix desperado

Random DTrace Tip: You Can’t Trace sbrk Because It’s Not A Syscall

The DTrace syscall provider is one of the most useful (and most used)
providers. Typically, people use the syscall provider to log and aggregate
any subset (or the entire set) of system calls made by an application.

For instance,

dtrace -n 'syscall::brk:entry {@[arg0] = count();}'

will trace every brk system call made on the system, and count how many
times each distinct value of its first argument (arg0) was passed.

However,

dtrace -n 'syscall::sbrk:entry {@[arg0] = count();}'

will not work.

This is because, while brk() and sbrk() are valid Unix interfaces, used to
modify the size of the calling process’s data segment, the functions a program
calls aren’t themselves system calls. They are functions in the standard C
library that comes with Illumos (or some other DTrace-enhanced system), and
they wrap around a system call. The syscall provider only has probes for real
system calls, so it has no sbrk probe to match.

In our case, the only system call Illumos supports here is the one identified as brk:

] dtrace -l -n 'syscall:::entry' | grep brk
72078 syscall brk entry

As it turns out, both the sbrk() function and brk() function are
implemented in terms of the brk system call.
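
To see the sbrk() calls themselves, trace the libc function with the pid provider instead of the syscall provider. The D script below is an added example, not from the original post; it assumes the wrappers live in libc.so.1 and that the brk system call is issued on the same thread between the wrapper's entry and return. The file name brkwatch.d is hypothetical.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post).
 * Run as:  dtrace -s brkwatch.d -c ./your_program
 *     or:  dtrace -s brkwatch.d -p <pid>
 * Assumption: sbrk() and brk() are exported by libc.so.1.
 */
#pragma D option quiet

/* User-level probe: fires when the process calls libc's sbrk(). */
pid$target:libc.so.1:sbrk:entry
{
	self->in_sbrk = 1;
	@incr["sbrk() increment (bytes)"] = quantize(arg0);
}

pid$target:libc.so.1:sbrk:return
{
	self->in_sbrk = 0;
}

/* User-level probe: fires when the process calls libc's brk(). */
pid$target:libc.so.1:brk:entry
{
	self->in_brk = 1;
}

pid$target:libc.so.1:brk:return
{
	self->in_brk = 0;
}

/*
 * Kernel-level probe: the one real system call. The thread-local flags
 * set above tell us which libc wrapper (if any) led to it.
 */
syscall::brk:entry
/pid == $target/
{
	@origin[self->in_sbrk ? "brk syscall via sbrk()" :
	    (self->in_brk ? "brk syscall via brk()" :
	    "brk syscall, other caller")] = count();
}
```

When the traced process exits (or on Ctrl-C), DTrace prints both aggregations: the distribution of sbrk() increments and a count of brk system calls grouped by the wrapper that issued them.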